Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# Copyright 2016 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
15"""Transport adapter for Requests."""
17from __future__ import absolute_import
19import functools
20import logging
21import numbers
22import os
23import time
25try:
26 import requests
27except ImportError as caught_exc: # pragma: NO COVER
28 raise ImportError(
29 "The requests library is not installed from please install the requests package to use the requests transport."
30 ) from caught_exc
31import requests.adapters # pylint: disable=ungrouped-imports
32import requests.exceptions # pylint: disable=ungrouped-imports
33from requests.packages.urllib3.util.ssl_ import ( # type: ignore
34 create_urllib3_context,
35) # pylint: disable=ungrouped-imports
37from google.auth import environment_vars
38from google.auth import exceptions
39from google.auth import transport
40import google.auth.transport._mtls_helper
41from google.oauth2 import service_account
43_LOGGER = logging.getLogger(__name__)
45_DEFAULT_TIMEOUT = 120 # in seconds
48class _Response(transport.Response):
49 """Requests transport response adapter.
51 Args:
52 response (requests.Response): The raw Requests response.
53 """
55 def __init__(self, response):
56 self._response = response
58 @property
59 def status(self):
60 return self._response.status_code
62 @property
63 def headers(self):
64 return self._response.headers
66 @property
67 def data(self):
68 return self._response.content
71class TimeoutGuard(object):
72 """A context manager raising an error if the suite execution took too long.
74 Args:
75 timeout (Union[None, Union[float, Tuple[float, float]]]):
76 The maximum number of seconds a suite can run without the context
77 manager raising a timeout exception on exit. If passed as a tuple,
78 the smaller of the values is taken as a timeout. If ``None``, a
79 timeout error is never raised.
80 timeout_error_type (Optional[Exception]):
81 The type of the error to raise on timeout. Defaults to
82 :class:`requests.exceptions.Timeout`.
83 """
85 def __init__(self, timeout, timeout_error_type=requests.exceptions.Timeout):
86 self._timeout = timeout
87 self.remaining_timeout = timeout
88 self._timeout_error_type = timeout_error_type
90 def __enter__(self):
91 self._start = time.time()
92 return self
94 def __exit__(self, exc_type, exc_value, traceback):
95 if exc_value:
96 return # let the error bubble up automatically
98 if self._timeout is None:
99 return # nothing to do, the timeout was not specified
101 elapsed = time.time() - self._start
102 deadline_hit = False
104 if isinstance(self._timeout, numbers.Number):
105 self.remaining_timeout = self._timeout - elapsed
106 deadline_hit = self.remaining_timeout <= 0
107 else:
108 self.remaining_timeout = tuple(x - elapsed for x in self._timeout)
109 deadline_hit = min(self.remaining_timeout) <= 0
111 if deadline_hit:
112 raise self._timeout_error_type()
115class Request(transport.Request):
116 """Requests request adapter.
118 This class is used internally for making requests using various transports
119 in a consistent way. If you use :class:`AuthorizedSession` you do not need
120 to construct or use this class directly.
122 This class can be useful if you want to manually refresh a
123 :class:`~google.auth.credentials.Credentials` instance::
125 import google.auth.transport.requests
126 import requests
128 request = google.auth.transport.requests.Request()
130 credentials.refresh(request)
132 Args:
133 session (requests.Session): An instance :class:`requests.Session` used
134 to make HTTP requests. If not specified, a session will be created.
136 .. automethod:: __call__
137 """
139 def __init__(self, session=None):
140 if not session:
141 session = requests.Session()
143 self.session = session
145 def __del__(self):
146 try:
147 if hasattr(self, "session") and self.session is not None:
148 self.session.close()
149 except TypeError:
150 # NOTE: For certain Python binary built, the queue.Empty exception
151 # might not be considered a normal Python exception causing
152 # TypeError.
153 pass
155 def __call__(
156 self,
157 url,
158 method="GET",
159 body=None,
160 headers=None,
161 timeout=_DEFAULT_TIMEOUT,
162 **kwargs
163 ):
164 """Make an HTTP request using requests.
166 Args:
167 url (str): The URI to be requested.
168 method (str): The HTTP method to use for the request. Defaults
169 to 'GET'.
170 body (bytes): The payload or body in HTTP request.
171 headers (Mapping[str, str]): Request headers.
172 timeout (Optional[int]): The number of seconds to wait for a
173 response from the server. If not specified or if None, the
174 requests default timeout will be used.
175 kwargs: Additional arguments passed through to the underlying
176 requests :meth:`~requests.Session.request` method.
178 Returns:
179 google.auth.transport.Response: The HTTP response.
181 Raises:
182 google.auth.exceptions.TransportError: If any exception occurred.
183 """
184 try:
185 _LOGGER.debug("Making request: %s %s", method, url)
186 response = self.session.request(
187 method, url, data=body, headers=headers, timeout=timeout, **kwargs
188 )
189 return _Response(response)
190 except requests.exceptions.RequestException as caught_exc:
191 new_exc = exceptions.TransportError(caught_exc)
192 raise new_exc from caught_exc
195class _MutualTlsAdapter(requests.adapters.HTTPAdapter):
196 """
197 A TransportAdapter that enables mutual TLS.
199 Args:
200 cert (bytes): client certificate in PEM format
201 key (bytes): client private key in PEM format
203 Raises:
204 ImportError: if certifi or pyOpenSSL is not installed
205 OpenSSL.crypto.Error: if client cert or key is invalid
206 """
208 def __init__(self, cert, key):
209 import certifi
210 from OpenSSL import crypto
211 import urllib3.contrib.pyopenssl # type: ignore
213 urllib3.contrib.pyopenssl.inject_into_urllib3()
215 pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
216 x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
218 ctx_poolmanager = create_urllib3_context()
219 ctx_poolmanager.load_verify_locations(cafile=certifi.where())
220 ctx_poolmanager._ctx.use_certificate(x509)
221 ctx_poolmanager._ctx.use_privatekey(pkey)
222 self._ctx_poolmanager = ctx_poolmanager
224 ctx_proxymanager = create_urllib3_context()
225 ctx_proxymanager.load_verify_locations(cafile=certifi.where())
226 ctx_proxymanager._ctx.use_certificate(x509)
227 ctx_proxymanager._ctx.use_privatekey(pkey)
228 self._ctx_proxymanager = ctx_proxymanager
230 super(_MutualTlsAdapter, self).__init__()
232 def init_poolmanager(self, *args, **kwargs):
233 kwargs["ssl_context"] = self._ctx_poolmanager
234 super(_MutualTlsAdapter, self).init_poolmanager(*args, **kwargs)
236 def proxy_manager_for(self, *args, **kwargs):
237 kwargs["ssl_context"] = self._ctx_proxymanager
238 return super(_MutualTlsAdapter, self).proxy_manager_for(*args, **kwargs)
241class _MutualTlsOffloadAdapter(requests.adapters.HTTPAdapter):
242 """
243 A TransportAdapter that enables mutual TLS and offloads the client side
244 signing operation to the signing library.
246 Args:
247 enterprise_cert_file_path (str): the path to a enterprise cert JSON
248 file. The file should contain the following field:
250 {
251 "libs": {
252 "signer_library": "...",
253 "offload_library": "..."
254 }
255 }
257 Raises:
258 ImportError: if certifi or pyOpenSSL is not installed
259 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
260 creation failed for any reason.
261 """
263 def __init__(self, enterprise_cert_file_path):
264 import certifi
265 from google.auth.transport import _custom_tls_signer
267 self.signer = _custom_tls_signer.CustomTlsSigner(enterprise_cert_file_path)
268 self.signer.load_libraries()
270 import urllib3.contrib.pyopenssl
272 urllib3.contrib.pyopenssl.inject_into_urllib3()
274 poolmanager = create_urllib3_context()
275 poolmanager.load_verify_locations(cafile=certifi.where())
276 self.signer.attach_to_ssl_context(poolmanager)
277 self._ctx_poolmanager = poolmanager
279 proxymanager = create_urllib3_context()
280 proxymanager.load_verify_locations(cafile=certifi.where())
281 self.signer.attach_to_ssl_context(proxymanager)
282 self._ctx_proxymanager = proxymanager
284 super(_MutualTlsOffloadAdapter, self).__init__()
286 def init_poolmanager(self, *args, **kwargs):
287 kwargs["ssl_context"] = self._ctx_poolmanager
288 super(_MutualTlsOffloadAdapter, self).init_poolmanager(*args, **kwargs)
290 def proxy_manager_for(self, *args, **kwargs):
291 kwargs["ssl_context"] = self._ctx_proxymanager
292 return super(_MutualTlsOffloadAdapter, self).proxy_manager_for(*args, **kwargs)
295class AuthorizedSession(requests.Session):
296 """A Requests Session class with credentials.
298 This class is used to perform requests to API endpoints that require
299 authorization::
301 from google.auth.transport.requests import AuthorizedSession
303 authed_session = AuthorizedSession(credentials)
305 response = authed_session.request(
306 'GET', 'https://www.googleapis.com/storage/v1/b')
309 The underlying :meth:`request` implementation handles adding the
310 credentials' headers to the request and refreshing credentials as needed.
312 This class also supports mutual TLS via :meth:`configure_mtls_channel`
313 method. In order to use this method, the `GOOGLE_API_USE_CLIENT_CERTIFICATE`
314 environment variable must be explicitly set to ``true``, otherwise it does
315 nothing. Assume the environment is set to ``true``, the method behaves in the
316 following manner:
318 If client_cert_callback is provided, client certificate and private
319 key are loaded using the callback; if client_cert_callback is None,
320 application default SSL credentials will be used. Exceptions are raised if
321 there are problems with the certificate, private key, or the loading process,
322 so it should be called within a try/except block.
324 First we set the environment variable to ``true``, then create an :class:`AuthorizedSession`
325 instance and specify the endpoints::
327 regular_endpoint = 'https://pubsub.googleapis.com/v1/projects/{my_project_id}/topics'
328 mtls_endpoint = 'https://pubsub.mtls.googleapis.com/v1/projects/{my_project_id}/topics'
330 authed_session = AuthorizedSession(credentials)
332 Now we can pass a callback to :meth:`configure_mtls_channel`::
334 def my_cert_callback():
335 # some code to load client cert bytes and private key bytes, both in
336 # PEM format.
337 some_code_to_load_client_cert_and_key()
338 if loaded:
339 return cert, key
340 raise MyClientCertFailureException()
342 # Always call configure_mtls_channel within a try/except block.
343 try:
344 authed_session.configure_mtls_channel(my_cert_callback)
345 except:
346 # handle exceptions.
348 if authed_session.is_mtls:
349 response = authed_session.request('GET', mtls_endpoint)
350 else:
351 response = authed_session.request('GET', regular_endpoint)
354 You can alternatively use application default SSL credentials like this::
356 try:
357 authed_session.configure_mtls_channel()
358 except:
359 # handle exceptions.
361 Args:
362 credentials (google.auth.credentials.Credentials): The credentials to
363 add to the request.
364 refresh_status_codes (Sequence[int]): Which HTTP status codes indicate
365 that credentials should be refreshed and the request should be
366 retried.
367 max_refresh_attempts (int): The maximum number of times to attempt to
368 refresh the credentials and retry the request.
369 refresh_timeout (Optional[int]): The timeout value in seconds for
370 credential refresh HTTP requests.
371 auth_request (google.auth.transport.requests.Request):
372 (Optional) An instance of
373 :class:`~google.auth.transport.requests.Request` used when
374 refreshing credentials. If not passed,
375 an instance of :class:`~google.auth.transport.requests.Request`
376 is created.
377 default_host (Optional[str]): A host like "pubsub.googleapis.com".
378 This is used when a self-signed JWT is created from service
379 account credentials.
380 """
382 def __init__(
383 self,
384 credentials,
385 refresh_status_codes=transport.DEFAULT_REFRESH_STATUS_CODES,
386 max_refresh_attempts=transport.DEFAULT_MAX_REFRESH_ATTEMPTS,
387 refresh_timeout=None,
388 auth_request=None,
389 default_host=None,
390 ):
391 super(AuthorizedSession, self).__init__()
392 self.credentials = credentials
393 self._refresh_status_codes = refresh_status_codes
394 self._max_refresh_attempts = max_refresh_attempts
395 self._refresh_timeout = refresh_timeout
396 self._is_mtls = False
397 self._default_host = default_host
399 if auth_request is None:
400 self._auth_request_session = requests.Session()
402 # Using an adapter to make HTTP requests robust to network errors.
403 # This adapter retrys HTTP requests when network errors occur
404 # and the requests seems safely retryable.
405 retry_adapter = requests.adapters.HTTPAdapter(max_retries=3)
406 self._auth_request_session.mount("https://", retry_adapter)
408 # Do not pass `self` as the session here, as it can lead to
409 # infinite recursion.
410 auth_request = Request(self._auth_request_session)
411 else:
412 self._auth_request_session = None
414 # Request instance used by internal methods (for example,
415 # credentials.refresh).
416 self._auth_request = auth_request
418 # https://google.aip.dev/auth/4111
419 # Attempt to use self-signed JWTs when a service account is used.
420 if isinstance(self.credentials, service_account.Credentials):
421 self.credentials._create_self_signed_jwt(
422 "https://{}/".format(self._default_host) if self._default_host else None
423 )
425 def configure_mtls_channel(self, client_cert_callback=None):
426 """Configure the client certificate and key for SSL connection.
428 The function does nothing unless `GOOGLE_API_USE_CLIENT_CERTIFICATE` is
429 explicitly set to `true`. In this case if client certificate and key are
430 successfully obtained (from the given client_cert_callback or from application
431 default SSL credentials), a :class:`_MutualTlsAdapter` instance will be mounted
432 to "https://" prefix.
434 Args:
435 client_cert_callback (Optional[Callable[[], (bytes, bytes)]]):
436 The optional callback returns the client certificate and private
437 key bytes both in PEM format.
438 If the callback is None, application default SSL credentials
439 will be used.
441 Raises:
442 google.auth.exceptions.MutualTLSChannelError: If mutual TLS channel
443 creation failed for any reason.
444 """
445 use_client_cert = os.getenv(
446 environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE, "false"
447 )
448 if use_client_cert != "true":
449 self._is_mtls = False
450 return
452 try:
453 import OpenSSL
454 except ImportError as caught_exc:
455 new_exc = exceptions.MutualTLSChannelError(caught_exc)
456 raise new_exc from caught_exc
458 try:
459 (
460 self._is_mtls,
461 cert,
462 key,
463 ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
464 client_cert_callback
465 )
467 if self._is_mtls:
468 mtls_adapter = _MutualTlsAdapter(cert, key)
469 self.mount("https://", mtls_adapter)
470 except (
471 exceptions.ClientCertError,
472 ImportError,
473 OpenSSL.crypto.Error,
474 ) as caught_exc:
475 new_exc = exceptions.MutualTLSChannelError(caught_exc)
476 raise new_exc from caught_exc
478 def request(
479 self,
480 method,
481 url,
482 data=None,
483 headers=None,
484 max_allowed_time=None,
485 timeout=_DEFAULT_TIMEOUT,
486 **kwargs
487 ):
488 """Implementation of Requests' request.
490 Args:
491 timeout (Optional[Union[float, Tuple[float, float]]]):
492 The amount of time in seconds to wait for the server response
493 with each individual request. Can also be passed as a tuple
494 ``(connect_timeout, read_timeout)``. See :meth:`requests.Session.request`
495 documentation for details.
496 max_allowed_time (Optional[float]):
497 If the method runs longer than this, a ``Timeout`` exception is
498 automatically raised. Unlike the ``timeout`` parameter, this
499 value applies to the total method execution time, even if
500 multiple requests are made under the hood.
502 Mind that it is not guaranteed that the timeout error is raised
503 at ``max_allowed_time``. It might take longer, for example, if
504 an underlying request takes a lot of time, but the request
505 itself does not timeout, e.g. if a large file is being
506 transmitted. The timout error will be raised after such
507 request completes.
508 """
509 # pylint: disable=arguments-differ
510 # Requests has a ton of arguments to request, but only two
511 # (method, url) are required. We pass through all of the other
512 # arguments to super, so no need to exhaustively list them here.
514 # Use a kwarg for this instead of an attribute to maintain
515 # thread-safety.
516 _credential_refresh_attempt = kwargs.pop("_credential_refresh_attempt", 0)
518 # Make a copy of the headers. They will be modified by the credentials
519 # and we want to pass the original headers if we recurse.
520 request_headers = headers.copy() if headers is not None else {}
522 # Do not apply the timeout unconditionally in order to not override the
523 # _auth_request's default timeout.
524 auth_request = (
525 self._auth_request
526 if timeout is None
527 else functools.partial(self._auth_request, timeout=timeout)
528 )
530 remaining_time = max_allowed_time
532 with TimeoutGuard(remaining_time) as guard:
533 self.credentials.before_request(auth_request, method, url, request_headers)
534 remaining_time = guard.remaining_timeout
536 with TimeoutGuard(remaining_time) as guard:
537 response = super(AuthorizedSession, self).request(
538 method,
539 url,
540 data=data,
541 headers=request_headers,
542 timeout=timeout,
543 **kwargs
544 )
545 remaining_time = guard.remaining_timeout
547 # If the response indicated that the credentials needed to be
548 # refreshed, then refresh the credentials and re-attempt the
549 # request.
550 # A stored token may expire between the time it is retrieved and
551 # the time the request is made, so we may need to try twice.
552 if (
553 response.status_code in self._refresh_status_codes
554 and _credential_refresh_attempt < self._max_refresh_attempts
555 ):
557 _LOGGER.info(
558 "Refreshing credentials due to a %s response. Attempt %s/%s.",
559 response.status_code,
560 _credential_refresh_attempt + 1,
561 self._max_refresh_attempts,
562 )
564 # Do not apply the timeout unconditionally in order to not override the
565 # _auth_request's default timeout.
566 auth_request = (
567 self._auth_request
568 if timeout is None
569 else functools.partial(self._auth_request, timeout=timeout)
570 )
572 with TimeoutGuard(remaining_time) as guard:
573 self.credentials.refresh(auth_request)
574 remaining_time = guard.remaining_timeout
576 # Recurse. Pass in the original headers, not our modified set, but
577 # do pass the adjusted max allowed time (i.e. the remaining total time).
578 return self.request(
579 method,
580 url,
581 data=data,
582 headers=headers,
583 max_allowed_time=remaining_time,
584 timeout=timeout,
585 _credential_refresh_attempt=_credential_refresh_attempt + 1,
586 **kwargs
587 )
589 return response
591 @property
592 def is_mtls(self):
593 """Indicates if the created SSL channel is mutual TLS."""
594 return self._is_mtls
596 def close(self):
597 if self._auth_request_session is not None:
598 self._auth_request_session.close()
599 super(AuthorizedSession, self).close()