Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/google/oauth2/_client.py: 21%
117 statements
« prev ^ index » next coverage.py v7.2.2, created at 2023-03-26 07:30 +0000
1# Copyright 2016 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
15"""OAuth 2.0 client.
17This is a client for interacting with an OAuth 2.0 authorization server's
18token endpoint.
20For more information about the token endpoint, see
21`Section 3.1 of rfc6749`_
23.. _Section 3.1 of rfc6749: https://tools.ietf.org/html/rfc6749#section-3.2
24"""
26import datetime
27import json
29import six
30from six.moves import http_client
31from six.moves import urllib
33from google.auth import _exponential_backoff
34from google.auth import _helpers
35from google.auth import exceptions
36from google.auth import jwt
37from google.auth import transport
39_URLENCODED_CONTENT_TYPE = "application/x-www-form-urlencoded"
40_JSON_CONTENT_TYPE = "application/json"
41_JWT_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
42_REFRESH_GRANT_TYPE = "refresh_token"
45def _handle_error_response(response_data, retryable_error):
46 """Translates an error response into an exception.
48 Args:
49 response_data (Mapping | str): The decoded response data.
50 retryable_error Optional[bool]: A boolean indicating if an error is retryable.
51 Defaults to False.
53 Raises:
54 google.auth.exceptions.RefreshError: The errors contained in response_data.
55 """
57 retryable_error = retryable_error if retryable_error else False
59 if isinstance(response_data, six.string_types):
60 raise exceptions.RefreshError(response_data, retryable=retryable_error)
61 try:
62 error_details = "{}: {}".format(
63 response_data["error"], response_data.get("error_description")
64 )
65 # If no details could be extracted, use the response data.
66 except (KeyError, ValueError):
67 error_details = json.dumps(response_data)
69 raise exceptions.RefreshError(
70 error_details, response_data, retryable=retryable_error
71 )
74def _can_retry(status_code, response_data):
75 """Checks if a request can be retried by inspecting the status code
76 and response body of the request.
78 Args:
79 status_code (int): The response status code.
80 response_data (Mapping | str): The decoded response data.
82 Returns:
83 bool: True if the response is retryable. False otherwise.
84 """
85 if status_code in transport.DEFAULT_RETRYABLE_STATUS_CODES:
86 return True
88 try:
89 # For a failed response, response_body could be a string
90 error_desc = response_data.get("error_description") or ""
91 error_code = response_data.get("error") or ""
93 if not isinstance(error_code, six.string_types) or not isinstance(
94 error_desc, six.string_types
95 ):
96 return False
98 # Per Oauth 2.0 RFC https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1
99 # This is needed because a redirect will not return a 500 status code.
100 retryable_error_descriptions = {
101 "internal_failure",
102 "server_error",
103 "temporarily_unavailable",
104 }
106 if any(e in retryable_error_descriptions for e in (error_code, error_desc)):
107 return True
109 except AttributeError:
110 pass
112 return False
115def _parse_expiry(response_data):
116 """Parses the expiry field from a response into a datetime.
118 Args:
119 response_data (Mapping): The JSON-parsed response data.
121 Returns:
122 Optional[datetime]: The expiration or ``None`` if no expiration was
123 specified.
124 """
125 expires_in = response_data.get("expires_in", None)
127 if expires_in is not None:
128 # Some services do not respect the OAUTH2.0 RFC and send expires_in as a
129 # JSON String.
130 if isinstance(expires_in, str):
131 expires_in = int(expires_in)
133 return _helpers.utcnow() + datetime.timedelta(seconds=expires_in)
134 else:
135 return None
138def _token_endpoint_request_no_throw(
139 request,
140 token_uri,
141 body,
142 access_token=None,
143 use_json=False,
144 can_retry=True,
145 **kwargs
146):
147 """Makes a request to the OAuth 2.0 authorization server's token endpoint.
148 This function doesn't throw on response errors.
150 Args:
151 request (google.auth.transport.Request): A callable used to make
152 HTTP requests.
153 token_uri (str): The OAuth 2.0 authorizations server's token endpoint
154 URI.
155 body (Mapping[str, str]): The parameters to send in the request body.
156 access_token (Optional(str)): The access token needed to make the request.
157 use_json (Optional(bool)): Use urlencoded format or json format for the
158 content type. The default value is False.
159 can_retry (bool): Enable or disable request retry behavior.
160 kwargs: Additional arguments passed on to the request method. The
161 kwargs will be passed to `requests.request` method, see:
162 https://docs.python-requests.org/en/latest/api/#requests.request.
163 For example, you can use `cert=("cert_pem_path", "key_pem_path")`
164 to set up client side SSL certificate, and use
165 `verify="ca_bundle_path"` to set up the CA certificates for sever
166 side SSL certificate verification.
168 Returns:
169 Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating
170 if the request is successful, a mapping for the JSON-decoded response
171 data and in the case of an error a boolean indicating if the error
172 is retryable.
173 """
174 if use_json:
175 headers = {"Content-Type": _JSON_CONTENT_TYPE}
176 body = json.dumps(body).encode("utf-8")
177 else:
178 headers = {"Content-Type": _URLENCODED_CONTENT_TYPE}
179 body = urllib.parse.urlencode(body).encode("utf-8")
181 if access_token:
182 headers["Authorization"] = "Bearer {}".format(access_token)
184 def _perform_request():
185 response = request(
186 method="POST", url=token_uri, headers=headers, body=body, **kwargs
187 )
188 response_body = (
189 response.data.decode("utf-8")
190 if hasattr(response.data, "decode")
191 else response.data
192 )
193 response_data = ""
194 try:
195 # response_body should be a JSON
196 response_data = json.loads(response_body)
197 except ValueError:
198 response_data = response_body
200 if response.status == http_client.OK:
201 return True, response_data, None
203 retryable_error = _can_retry(
204 status_code=response.status, response_data=response_data
205 )
207 return False, response_data, retryable_error
209 request_succeeded, response_data, retryable_error = _perform_request()
211 if request_succeeded or not retryable_error or not can_retry:
212 return request_succeeded, response_data, retryable_error
214 retries = _exponential_backoff.ExponentialBackoff()
215 for _ in retries:
216 request_succeeded, response_data, retryable_error = _perform_request()
217 if request_succeeded or not retryable_error:
218 return request_succeeded, response_data, retryable_error
220 return False, response_data, retryable_error
223def _token_endpoint_request(
224 request,
225 token_uri,
226 body,
227 access_token=None,
228 use_json=False,
229 can_retry=True,
230 **kwargs
231):
232 """Makes a request to the OAuth 2.0 authorization server's token endpoint.
234 Args:
235 request (google.auth.transport.Request): A callable used to make
236 HTTP requests.
237 token_uri (str): The OAuth 2.0 authorizations server's token endpoint
238 URI.
239 body (Mapping[str, str]): The parameters to send in the request body.
240 access_token (Optional(str)): The access token needed to make the request.
241 use_json (Optional(bool)): Use urlencoded format or json format for the
242 content type. The default value is False.
243 can_retry (bool): Enable or disable request retry behavior.
244 kwargs: Additional arguments passed on to the request method. The
245 kwargs will be passed to `requests.request` method, see:
246 https://docs.python-requests.org/en/latest/api/#requests.request.
247 For example, you can use `cert=("cert_pem_path", "key_pem_path")`
248 to set up client side SSL certificate, and use
249 `verify="ca_bundle_path"` to set up the CA certificates for sever
250 side SSL certificate verification.
252 Returns:
253 Mapping[str, str]: The JSON-decoded response data.
255 Raises:
256 google.auth.exceptions.RefreshError: If the token endpoint returned
257 an error.
258 """
260 response_status_ok, response_data, retryable_error = _token_endpoint_request_no_throw(
261 request,
262 token_uri,
263 body,
264 access_token=access_token,
265 use_json=use_json,
266 can_retry=can_retry,
267 **kwargs
268 )
269 if not response_status_ok:
270 _handle_error_response(response_data, retryable_error)
271 return response_data
274def jwt_grant(request, token_uri, assertion, can_retry=True):
275 """Implements the JWT Profile for OAuth 2.0 Authorization Grants.
277 For more details, see `rfc7523 section 4`_.
279 Args:
280 request (google.auth.transport.Request): A callable used to make
281 HTTP requests.
282 token_uri (str): The OAuth 2.0 authorizations server's token endpoint
283 URI.
284 assertion (str): The OAuth 2.0 assertion.
285 can_retry (bool): Enable or disable request retry behavior.
287 Returns:
288 Tuple[str, Optional[datetime], Mapping[str, str]]: The access token,
289 expiration, and additional data returned by the token endpoint.
291 Raises:
292 google.auth.exceptions.RefreshError: If the token endpoint returned
293 an error.
295 .. _rfc7523 section 4: https://tools.ietf.org/html/rfc7523#section-4
296 """
297 body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
299 response_data = _token_endpoint_request(
300 request, token_uri, body, can_retry=can_retry
301 )
303 try:
304 access_token = response_data["access_token"]
305 except KeyError as caught_exc:
306 new_exc = exceptions.RefreshError(
307 "No access token in response.", response_data, retryable=False
308 )
309 six.raise_from(new_exc, caught_exc)
311 expiry = _parse_expiry(response_data)
313 return access_token, expiry, response_data
316def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
317 """Implements the JWT Profile for OAuth 2.0 Authorization Grants, but
318 requests an OpenID Connect ID Token instead of an access token.
320 This is a variant on the standard JWT Profile that is currently unique
321 to Google. This was added for the benefit of authenticating to services
322 that require ID Tokens instead of access tokens or JWT bearer tokens.
324 Args:
325 request (google.auth.transport.Request): A callable used to make
326 HTTP requests.
327 token_uri (str): The OAuth 2.0 authorization server's token endpoint
328 URI.
329 assertion (str): JWT token signed by a service account. The token's
330 payload must include a ``target_audience`` claim.
331 can_retry (bool): Enable or disable request retry behavior.
333 Returns:
334 Tuple[str, Optional[datetime], Mapping[str, str]]:
335 The (encoded) Open ID Connect ID Token, expiration, and additional
336 data returned by the endpoint.
338 Raises:
339 google.auth.exceptions.RefreshError: If the token endpoint returned
340 an error.
341 """
342 body = {"assertion": assertion, "grant_type": _JWT_GRANT_TYPE}
344 response_data = _token_endpoint_request(
345 request, token_uri, body, can_retry=can_retry
346 )
348 try:
349 id_token = response_data["id_token"]
350 except KeyError as caught_exc:
351 new_exc = exceptions.RefreshError(
352 "No ID token in response.", response_data, retryable=False
353 )
354 six.raise_from(new_exc, caught_exc)
356 payload = jwt.decode(id_token, verify=False)
357 expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
359 return id_token, expiry, response_data
362def _handle_refresh_grant_response(response_data, refresh_token):
363 """Extract tokens from refresh grant response.
365 Args:
366 response_data (Mapping[str, str]): Refresh grant response data.
367 refresh_token (str): Current refresh token.
369 Returns:
370 Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access token,
371 refresh token, expiration, and additional data returned by the token
372 endpoint. If response_data doesn't have refresh token, then the current
373 refresh token will be returned.
375 Raises:
376 google.auth.exceptions.RefreshError: If the token endpoint returned
377 an error.
378 """
379 try:
380 access_token = response_data["access_token"]
381 except KeyError as caught_exc:
382 new_exc = exceptions.RefreshError(
383 "No access token in response.", response_data, retryable=False
384 )
385 six.raise_from(new_exc, caught_exc)
387 refresh_token = response_data.get("refresh_token", refresh_token)
388 expiry = _parse_expiry(response_data)
390 return access_token, refresh_token, expiry, response_data
393def refresh_grant(
394 request,
395 token_uri,
396 refresh_token,
397 client_id,
398 client_secret,
399 scopes=None,
400 rapt_token=None,
401 can_retry=True,
402):
403 """Implements the OAuth 2.0 refresh token grant.
405 For more details, see `rfc678 section 6`_.
407 Args:
408 request (google.auth.transport.Request): A callable used to make
409 HTTP requests.
410 token_uri (str): The OAuth 2.0 authorizations server's token endpoint
411 URI.
412 refresh_token (str): The refresh token to use to get a new access
413 token.
414 client_id (str): The OAuth 2.0 application's client ID.
415 client_secret (str): The Oauth 2.0 appliaction's client secret.
416 scopes (Optional(Sequence[str])): Scopes to request. If present, all
417 scopes must be authorized for the refresh token. Useful if refresh
418 token has a wild card scope (e.g.
419 'https://www.googleapis.com/auth/any-api').
420 rapt_token (Optional(str)): The reauth Proof Token.
421 can_retry (bool): Enable or disable request retry behavior.
423 Returns:
424 Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access
425 token, new or current refresh token, expiration, and additional data
426 returned by the token endpoint.
428 Raises:
429 google.auth.exceptions.RefreshError: If the token endpoint returned
430 an error.
432 .. _rfc6748 section 6: https://tools.ietf.org/html/rfc6749#section-6
433 """
434 body = {
435 "grant_type": _REFRESH_GRANT_TYPE,
436 "client_id": client_id,
437 "client_secret": client_secret,
438 "refresh_token": refresh_token,
439 }
440 if scopes:
441 body["scope"] = " ".join(scopes)
442 if rapt_token:
443 body["rapt"] = rapt_token
445 response_data = _token_endpoint_request(
446 request, token_uri, body, can_retry=can_retry
447 )
448 return _handle_refresh_grant_response(response_data, refresh_token)