Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/google/auth/transport/requests.py: 31%

183 statements  

« prev     ^ index     » next       coverage.py v7.3.1, created at 2023-09-25 06:37 +0000

1# Copyright 2016 Google LLC 

2# 

3# Licensed under the Apache License, Version 2.0 (the "License"); 

4# you may not use this file except in compliance with the License. 

5# You may obtain a copy of the License at 

6# 

7# http://www.apache.org/licenses/LICENSE-2.0 

8# 

9# Unless required by applicable law or agreed to in writing, software 

10# distributed under the License is distributed on an "AS IS" BASIS, 

11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

12# See the License for the specific language governing permissions and 

13# limitations under the License. 

14 

15"""Transport adapter for Requests.""" 

16 

17from __future__ import absolute_import 

18 

19import functools 

20import logging 

21import numbers 

22import os 

23import time 

24 

25try: 

26 import requests 

27except ImportError as caught_exc: # pragma: NO COVER 

28 raise ImportError( 

29 "The requests library is not installed from please install the requests package to use the requests transport." 

30 ) from caught_exc 

31import requests.adapters # pylint: disable=ungrouped-imports 

32import requests.exceptions # pylint: disable=ungrouped-imports 

33from requests.packages.urllib3.util.ssl_ import ( # type: ignore 

34 create_urllib3_context, 

35) # pylint: disable=ungrouped-imports 

36 

37from google.auth import environment_vars 

38from google.auth import exceptions 

39from google.auth import transport 

40import google.auth.transport._mtls_helper 

41from google.oauth2 import service_account 

42 

43_LOGGER = logging.getLogger(__name__) 

44 

45_DEFAULT_TIMEOUT = 120 # in seconds 

46 

47 

48class _Response(transport.Response): 

49 """Requests transport response adapter. 

50 

51 Args: 

52 response (requests.Response): The raw Requests response. 

53 """ 

54 

55 def __init__(self, response): 

56 self._response = response 

57 

58 @property 

59 def status(self): 

60 return self._response.status_code 

61 

62 @property 

63 def headers(self): 

64 return self._response.headers 

65 

66 @property 

67 def data(self): 

68 return self._response.content 

69 

70 

71class TimeoutGuard(object): 

72 """A context manager raising an error if the suite execution took too long. 

73 

74 Args: 

75 timeout (Union[None, Union[float, Tuple[float, float]]]): 

76 The maximum number of seconds a suite can run without the context 

77 manager raising a timeout exception on exit. If passed as a tuple, 

78 the smaller of the values is taken as a timeout. If ``None``, a 

79 timeout error is never raised. 

80 timeout_error_type (Optional[Exception]): 

81 The type of the error to raise on timeout. Defaults to 

82 :class:`requests.exceptions.Timeout`. 

83 """ 

84 

85 def __init__(self, timeout, timeout_error_type=requests.exceptions.Timeout): 

86 self._timeout = timeout 

87 self.remaining_timeout = timeout 

88 self._timeout_error_type = timeout_error_type 

89 

90 def __enter__(self): 

91 self._start = time.time() 

92 return self 

93 

94 def __exit__(self, exc_type, exc_value, traceback): 

95 if exc_value: 

96 return # let the error bubble up automatically 

97 

98 if self._timeout is None: 

99 return # nothing to do, the timeout was not specified 

100 

101 elapsed = time.time() - self._start 

102 deadline_hit = False 

103 

104 if isinstance(self._timeout, numbers.Number): 

105 self.remaining_timeout = self._timeout - elapsed 

106 deadline_hit = self.remaining_timeout <= 0 

107 else: 

108 self.remaining_timeout = tuple(x - elapsed for x in self._timeout) 

109 deadline_hit = min(self.remaining_timeout) <= 0 

110 

111 if deadline_hit: 

112 raise self._timeout_error_type() 

113 

114 

115class Request(transport.Request): 

116 """Requests request adapter. 

117 

118 This class is used internally for making requests using various transports 

119 in a consistent way. If you use :class:`AuthorizedSession` you do not need 

120 to construct or use this class directly. 

121 

122 This class can be useful if you want to manually refresh a 

123 :class:`~google.auth.credentials.Credentials` instance:: 

124 

125 import google.auth.transport.requests 

126 import requests 

127 

128 request = google.auth.transport.requests.Request() 

129 

130 credentials.refresh(request) 

131 

132 Args: 

133 session (requests.Session): An instance :class:`requests.Session` used 

134 to make HTTP requests. If not specified, a session will be created. 

135 

136 .. automethod:: __call__ 

137 """ 

138 

139 def __init__(self, session=None): 

140 if not session: 

141 session = requests.Session() 

142 

143 self.session = session 

144 

145 def __del__(self): 

146 try: 

147 if hasattr(self, "session") and self.session is not None: 

148 self.session.close() 

149 except TypeError: 

150 # NOTE: For certain Python binary built, the queue.Empty exception 

151 # might not be considered a normal Python exception causing 

152 # TypeError. 

153 pass 

154 

155 def __call__( 

156 self, 

157 url, 

158 method="GET", 

159 body=None, 

160 headers=None, 

161 timeout=_DEFAULT_TIMEOUT, 

162 **kwargs 

163 ): 

164 """Make an HTTP request using requests. 

165 

166 Args: 

167 url (str): The URI to be requested. 

168 method (str): The HTTP method to use for the request. Defaults 

169 to 'GET'. 

170 body (bytes): The payload or body in HTTP request. 

171 headers (Mapping[str, str]): Request headers. 

172 timeout (Optional[int]): The number of seconds to wait for a 

173 response from the server. If not specified or if None, the 

174 requests default timeout will be used. 

175 kwargs: Additional arguments passed through to the underlying 

176 requests :meth:`~requests.Session.request` method. 

177 

178 Returns: 

179 google.auth.transport.Response: The HTTP response. 

180 

181 Raises: 

182 google.auth.exceptions.TransportError: If any exception occurred. 

183 """ 

184 try: 

185 _LOGGER.debug("Making request: %s %s", method, url) 

186 response = self.session.request( 

187 method, url, data=body, headers=headers, timeout=timeout, **kwargs 

188 ) 

189 return _Response(response) 

190 except requests.exceptions.RequestException as caught_exc: 

191 new_exc = exceptions.TransportError(caught_exc) 

192 raise new_exc from caught_exc 

193 

194 

195class _MutualTlsAdapter(requests.adapters.HTTPAdapter): 

196 """ 

197 A TransportAdapter that enables mutual TLS. 

198 

199 Args: 

200 cert (bytes): client certificate in PEM format 

201 key (bytes): client private key in PEM format 

202 

203 Raises: 

204 ImportError: if certifi or pyOpenSSL is not installed 

205 OpenSSL.crypto.Error: if client cert or key is invalid 

206 """ 

207 

208 def __init__(self, cert, key): 

209 import certifi 

210 from OpenSSL import crypto 

211 import urllib3.contrib.pyopenssl # type: ignore 

212 

213 urllib3.contrib.pyopenssl.inject_into_urllib3() 

214 

215 pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key) 

216 x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert) 

217 

218 ctx_poolmanager = create_urllib3_context() 

219 ctx_poolmanager.load_verify_locations(cafile=certifi.where()) 

220 ctx_poolmanager._ctx.use_certificate(x509) 

221 ctx_poolmanager._ctx.use_privatekey(pkey) 

222 self._ctx_poolmanager = ctx_poolmanager 

223 

224 ctx_proxymanager = create_urllib3_context() 

225 ctx_proxymanager.load_verify_locations(cafile=certifi.where()) 

226 ctx_proxymanager._ctx.use_certificate(x509) 

227 ctx_proxymanager._ctx.use_privatekey(pkey) 

228 self._ctx_proxymanager = ctx_proxymanager 

229 

230 super(_MutualTlsAdapter, self).__init__() 

231 

232 def init_poolmanager(self, *args, **kwargs): 

233 kwargs["ssl_context"] = self._ctx_poolmanager 

234 super(_MutualTlsAdapter, self).init_poolmanager(*args, **kwargs) 

235 

236 def proxy_manager_for(self, *args, **kwargs): 

237 kwargs["ssl_context"] = self._ctx_proxymanager 

238 return super(_MutualTlsAdapter, self).proxy_manager_for(*args, **kwargs) 

239 

240 

241class _MutualTlsOffloadAdapter(requests.adapters.HTTPAdapter): 

242 """ 

243 A TransportAdapter that enables mutual TLS and offloads the client side 

244 signing operation to the signing library. 

245 

246 Args: 

247 enterprise_cert_file_path (str): the path to a enterprise cert JSON 

248 file. The file should contain the following field: 

249 

250 { 

251 "libs": { 

252 "signer_library": "...", 

253 "offload_library": "..." 

254 } 

255 } 

256 

257 Raises: 

258 ImportError: if certifi or pyOpenSSL is not installed 

259 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel 

260 creation failed for any reason. 

261 """ 

262 

263 def __init__(self, enterprise_cert_file_path): 

264 import certifi 

265 import urllib3.contrib.pyopenssl 

266 

267 from google.auth.transport import _custom_tls_signer 

268 

269 # Call inject_into_urllib3 to activate certificate checking. See the 

270 # following links for more info: 

271 # (1) doc: https://github.com/urllib3/urllib3/blob/cb9ebf8aac5d75f64c8551820d760b72b619beff/src/urllib3/contrib/pyopenssl.py#L31-L32 

272 # (2) mTLS example: https://github.com/urllib3/urllib3/issues/474#issuecomment-253168415 

273 urllib3.contrib.pyopenssl.inject_into_urllib3() 

274 

275 self.signer = _custom_tls_signer.CustomTlsSigner(enterprise_cert_file_path) 

276 self.signer.load_libraries() 

277 self.signer.set_up_custom_key() 

278 

279 poolmanager = create_urllib3_context() 

280 poolmanager.load_verify_locations(cafile=certifi.where()) 

281 self.signer.attach_to_ssl_context(poolmanager) 

282 self._ctx_poolmanager = poolmanager 

283 

284 proxymanager = create_urllib3_context() 

285 proxymanager.load_verify_locations(cafile=certifi.where()) 

286 self.signer.attach_to_ssl_context(proxymanager) 

287 self._ctx_proxymanager = proxymanager 

288 

289 super(_MutualTlsOffloadAdapter, self).__init__() 

290 

291 def init_poolmanager(self, *args, **kwargs): 

292 kwargs["ssl_context"] = self._ctx_poolmanager 

293 super(_MutualTlsOffloadAdapter, self).init_poolmanager(*args, **kwargs) 

294 

295 def proxy_manager_for(self, *args, **kwargs): 

296 kwargs["ssl_context"] = self._ctx_proxymanager 

297 return super(_MutualTlsOffloadAdapter, self).proxy_manager_for(*args, **kwargs) 

298 

299 

300class AuthorizedSession(requests.Session): 

301 """A Requests Session class with credentials. 

302 

303 This class is used to perform requests to API endpoints that require 

304 authorization:: 

305 

306 from google.auth.transport.requests import AuthorizedSession 

307 

308 authed_session = AuthorizedSession(credentials) 

309 

310 response = authed_session.request( 

311 'GET', 'https://www.googleapis.com/storage/v1/b') 

312 

313 

314 The underlying :meth:`request` implementation handles adding the 

315 credentials' headers to the request and refreshing credentials as needed. 

316 

317 This class also supports mutual TLS via :meth:`configure_mtls_channel` 

318 method. In order to use this method, the `GOOGLE_API_USE_CLIENT_CERTIFICATE` 

319 environment variable must be explicitly set to ``true``, otherwise it does 

320 nothing. Assume the environment is set to ``true``, the method behaves in the 

321 following manner: 

322 

323 If client_cert_callback is provided, client certificate and private 

324 key are loaded using the callback; if client_cert_callback is None, 

325 application default SSL credentials will be used. Exceptions are raised if 

326 there are problems with the certificate, private key, or the loading process, 

327 so it should be called within a try/except block. 

328 

329 First we set the environment variable to ``true``, then create an :class:`AuthorizedSession` 

330 instance and specify the endpoints:: 

331 

332 regular_endpoint = 'https://pubsub.googleapis.com/v1/projects/{my_project_id}/topics' 

333 mtls_endpoint = 'https://pubsub.mtls.googleapis.com/v1/projects/{my_project_id}/topics' 

334 

335 authed_session = AuthorizedSession(credentials) 

336 

337 Now we can pass a callback to :meth:`configure_mtls_channel`:: 

338 

339 def my_cert_callback(): 

340 # some code to load client cert bytes and private key bytes, both in 

341 # PEM format. 

342 some_code_to_load_client_cert_and_key() 

343 if loaded: 

344 return cert, key 

345 raise MyClientCertFailureException() 

346 

347 # Always call configure_mtls_channel within a try/except block. 

348 try: 

349 authed_session.configure_mtls_channel(my_cert_callback) 

350 except: 

351 # handle exceptions. 

352 

353 if authed_session.is_mtls: 

354 response = authed_session.request('GET', mtls_endpoint) 

355 else: 

356 response = authed_session.request('GET', regular_endpoint) 

357 

358 

359 You can alternatively use application default SSL credentials like this:: 

360 

361 try: 

362 authed_session.configure_mtls_channel() 

363 except: 

364 # handle exceptions. 

365 

366 Args: 

367 credentials (google.auth.credentials.Credentials): The credentials to 

368 add to the request. 

369 refresh_status_codes (Sequence[int]): Which HTTP status codes indicate 

370 that credentials should be refreshed and the request should be 

371 retried. 

372 max_refresh_attempts (int): The maximum number of times to attempt to 

373 refresh the credentials and retry the request. 

374 refresh_timeout (Optional[int]): The timeout value in seconds for 

375 credential refresh HTTP requests. 

376 auth_request (google.auth.transport.requests.Request): 

377 (Optional) An instance of 

378 :class:`~google.auth.transport.requests.Request` used when 

379 refreshing credentials. If not passed, 

380 an instance of :class:`~google.auth.transport.requests.Request` 

381 is created. 

382 default_host (Optional[str]): A host like "pubsub.googleapis.com". 

383 This is used when a self-signed JWT is created from service 

384 account credentials. 

385 """ 

386 

387 def __init__( 

388 self, 

389 credentials, 

390 refresh_status_codes=transport.DEFAULT_REFRESH_STATUS_CODES, 

391 max_refresh_attempts=transport.DEFAULT_MAX_REFRESH_ATTEMPTS, 

392 refresh_timeout=None, 

393 auth_request=None, 

394 default_host=None, 

395 ): 

396 super(AuthorizedSession, self).__init__() 

397 self.credentials = credentials 

398 self._refresh_status_codes = refresh_status_codes 

399 self._max_refresh_attempts = max_refresh_attempts 

400 self._refresh_timeout = refresh_timeout 

401 self._is_mtls = False 

402 self._default_host = default_host 

403 

404 if auth_request is None: 

405 self._auth_request_session = requests.Session() 

406 

407 # Using an adapter to make HTTP requests robust to network errors. 

408 # This adapter retrys HTTP requests when network errors occur 

409 # and the requests seems safely retryable. 

410 retry_adapter = requests.adapters.HTTPAdapter(max_retries=3) 

411 self._auth_request_session.mount("https://", retry_adapter) 

412 

413 # Do not pass `self` as the session here, as it can lead to 

414 # infinite recursion. 

415 auth_request = Request(self._auth_request_session) 

416 else: 

417 self._auth_request_session = None 

418 

419 # Request instance used by internal methods (for example, 

420 # credentials.refresh). 

421 self._auth_request = auth_request 

422 

423 # https://google.aip.dev/auth/4111 

424 # Attempt to use self-signed JWTs when a service account is used. 

425 if isinstance(self.credentials, service_account.Credentials): 

426 self.credentials._create_self_signed_jwt( 

427 "https://{}/".format(self._default_host) if self._default_host else None 

428 ) 

429 

430 def configure_mtls_channel(self, client_cert_callback=None): 

431 """Configure the client certificate and key for SSL connection. 

432 

433 The function does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE` is 

434 explicitly set to `true`. In this case if client certificate and key are 

435 successfully obtained (from the given client_cert_callback or from application 

436 default SSL credentials), a :class:`_MutualTlsAdapter` instance will be mounted 

437 to "https://" prefix. 

438 

439 Args: 

440 client_cert_callback (Optional[Callable[[], (bytes, bytes)]]): 

441 The optional callback returns the client certificate and private 

442 key bytes both in PEM format. 

443 If the callback is None, application default SSL credentials 

444 will be used. 

445 

446 Raises: 

447 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel 

448 creation failed for any reason. 

449 """ 

450 use_client_cert = os.getenv( 

451 environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false" 

452 ) 

453 if use_client_cert != "true": 

454 self._is_mtls = False 

455 return 

456 

457 try: 

458 import OpenSSL 

459 except ImportError as caught_exc: 

460 new_exc = exceptions.MutualTLSChannelError(caught_exc) 

461 raise new_exc from caught_exc 

462 

463 try: 

464 ( 

465 self._is_mtls, 

466 cert, 

467 key, 

468 ) = google.auth.transport._mtls_helper.get_client_cert_and_key( 

469 client_cert_callback 

470 ) 

471 

472 if self._is_mtls: 

473 mtls_adapter = _MutualTlsAdapter(cert, key) 

474 self.mount("https://", mtls_adapter) 

475 except ( 

476 exceptions.ClientCertError, 

477 ImportError, 

478 OpenSSL.crypto.Error, 

479 ) as caught_exc: 

480 new_exc = exceptions.MutualTLSChannelError(caught_exc) 

481 raise new_exc from caught_exc 

482 

483 def request( 

484 self, 

485 method, 

486 url, 

487 data=None, 

488 headers=None, 

489 max_allowed_time=None, 

490 timeout=_DEFAULT_TIMEOUT, 

491 **kwargs 

492 ): 

493 """Implementation of Requests' request. 

494 

495 Args: 

496 timeout (Optional[Union[float, Tuple[float, float]]]): 

497 The amount of time in seconds to wait for the server response 

498 with each individual request. Can also be passed as a tuple 

499 ``(connect_timeout, read_timeout)``. See :meth:`requests.Session.request` 

500 documentation for details. 

501 max_allowed_time (Optional[float]): 

502 If the method runs longer than this, a ``Timeout`` exception is 

503 automatically raised. Unlike the ``timeout`` parameter, this 

504 value applies to the total method execution time, even if 

505 multiple requests are made under the hood. 

506 

507 Mind that it is not guaranteed that the timeout error is raised 

508 at ``max_allowed_time``. It might take longer, for example, if 

509 an underlying request takes a lot of time, but the request 

510 itself does not timeout, e.g. if a large file is being 

511 transmitted. The timout error will be raised after such 

512 request completes. 

513 """ 

514 # pylint: disable=arguments-differ 

515 # Requests has a ton of arguments to request, but only two 

516 # (method, url) are required. We pass through all of the other 

517 # arguments to super, so no need to exhaustively list them here. 

518 

519 # Use a kwarg for this instead of an attribute to maintain 

520 # thread-safety. 

521 _credential_refresh_attempt = kwargs.pop("_credential_refresh_attempt", 0) 

522 

523 # Make a copy of the headers. They will be modified by the credentials 

524 # and we want to pass the original headers if we recurse. 

525 request_headers = headers.copy() if headers is not None else {} 

526 

527 # Do not apply the timeout unconditionally in order to not override the 

528 # _auth_request's default timeout. 

529 auth_request = ( 

530 self._auth_request 

531 if timeout is None 

532 else functools.partial(self._auth_request, timeout=timeout) 

533 ) 

534 

535 remaining_time = max_allowed_time 

536 

537 with TimeoutGuard(remaining_time) as guard: 

538 self.credentials.before_request(auth_request, method, url, request_headers) 

539 remaining_time = guard.remaining_timeout 

540 

541 with TimeoutGuard(remaining_time) as guard: 

542 response = super(AuthorizedSession, self).request( 

543 method, 

544 url, 

545 data=data, 

546 headers=request_headers, 

547 timeout=timeout, 

548 **kwargs 

549 ) 

550 remaining_time = guard.remaining_timeout 

551 

552 # If the response indicated that the credentials needed to be 

553 # refreshed, then refresh the credentials and re-attempt the 

554 # request. 

555 # A stored token may expire between the time it is retrieved and 

556 # the time the request is made, so we may need to try twice. 

557 if ( 

558 response.status_code in self._refresh_status_codes 

559 and _credential_refresh_attempt < self._max_refresh_attempts 

560 ): 

561 

562 _LOGGER.info( 

563 "Refreshing credentials due to a %s response. Attempt %s/%s.", 

564 response.status_code, 

565 _credential_refresh_attempt + 1, 

566 self._max_refresh_attempts, 

567 ) 

568 

569 # Do not apply the timeout unconditionally in order to not override the 

570 # _auth_request's default timeout. 

571 auth_request = ( 

572 self._auth_request 

573 if timeout is None 

574 else functools.partial(self._auth_request, timeout=timeout) 

575 ) 

576 

577 with TimeoutGuard(remaining_time) as guard: 

578 self.credentials.refresh(auth_request) 

579 remaining_time = guard.remaining_timeout 

580 

581 # Recurse. Pass in the original headers, not our modified set, but 

582 # do pass the adjusted max allowed time (i.e. the remaining total time). 

583 return self.request( 

584 method, 

585 url, 

586 data=data, 

587 headers=headers, 

588 max_allowed_time=remaining_time, 

589 timeout=timeout, 

590 _credential_refresh_attempt=_credential_refresh_attempt + 1, 

591 **kwargs 

592 ) 

593 

594 return response 

595 

596 @property 

597 def is_mtls(self): 

598 """Indicates if the created SSL channel is mutual TLS.""" 

599 return self._is_mtls 

600 

601 def close(self): 

602 if self._auth_request_session is not None: 

603 self._auth_request_session.close() 

604 super(AuthorizedSession, self).close()