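def refresh(self, request):
    """Obtain a fresh GCP OAuth2 access token from Vault's GCP secrets engine.

    Args:
        request (google.auth.transport.Request): Not used by this
            implementation; the token is fetched through the Vault client
            rather than through an HTTP transport.

    Raises:
        exceptions.GoogleAuthError: If the Vault token does not authenticate
            against the server, or if Vault refuses to issue a token for the
            configured roleset.
    """
    client = hvac.Client(url=self._vault_host, token=self._vault_token)

    if not client.is_authenticated():
        raise exceptions.GoogleAuthError("Unable to connect to Vault Server")

    try:
        token_response = client.secrets.gcp.generate_oauth2_access_token(
            self._roleset
        )
    except Forbidden as ex:
        # The original concatenated the exception object onto the message,
        # which raises TypeError instead of the intended GoogleAuthError.
        raise exceptions.GoogleAuthError(
            "Unable to get Vault Token:" + str(ex)
        ) from ex

    data = token_response["data"]
    self.token = data["token"]
    # NOTE(review): expiry is initialised from _helpers.utcnow() (naive UTC)
    # elsewhere in these credentials; datetime.fromtimestamp() would produce
    # local time and mis-judge expiry on non-UTC hosts, so use UTC here.
    self.expiry = datetime.utcfromtimestamp(data["expires_at_seconds"])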
def verify_oauth2_token(id_token, request, audience=None):
    """Verify an ID token issued by Google's OAuth 2.0 authorization server.

    Token validation is delegated to ``verify_token`` using the certificates
    at ``_GOOGLE_OAUTH2_CERTS_URL``; this wrapper additionally pins the
    ``iss`` claim to ``_GOOGLE_ISSUERS``.

    Args:
        id_token (Union[str, bytes]): The encoded token.
        request (google.auth.transport.Request): The object used to make
            HTTP requests.
        audience (str): The audience the token must be intended for,
            typically your application's OAuth 2.0 client ID. When None the
            audience claim is not verified at all, so callers should pass it
            whenever they know it.

    Returns:
        Mapping[str, Any]: The decoded token claims.

    Raises:
        exceptions.GoogleAuthError: If the issuer is not one of the known
            Google issuers.
    """
    claims = verify_token(
        id_token,
        request,
        audience=audience,
        certs_url=_GOOGLE_OAUTH2_CERTS_URL,
    )

    # Accept only tokens whose issuer is one Google actually uses.
    if claims["iss"] in _GOOGLE_ISSUERS:
        return claims

    raise exceptions.GoogleAuthError(
        "Wrong issuer. 'iss' should be one of the following: {}".format(
            _GOOGLE_ISSUERS))
    def __init__(
        self,
        target_credentials,
        target_audience=None,
        include_email=False,
        quota_project_id=None,
    ):
        """Build ID-token credentials on top of an impersonated credential.

        Args:
            target_credentials (google.auth.Credentials): The target
                credential used to acquire the ID tokens.
            target_audience (string): Audience to issue the token for.
            include_email (bool): Whether to include the email claim in the
                ID token.
            quota_project_id (Optional[str]): The project ID used for quota
                and billing.

        Raises:
            exceptions.GoogleAuthError: If ``target_credentials`` is not an
                instance of ``Credentials`` (impersonated credentials).
        """
        super(IDTokenCredentials, self).__init__()

        # Reject anything that is not an impersonated Credentials instance
        # before storing it.
        if isinstance(target_credentials, Credentials):
            self._target_credentials = target_credentials
        else:
            raise exceptions.GoogleAuthError("Provided Credential must be "
                                             "impersonated_credentials")
        self._target_audience = target_audience
        self._include_email = include_email
        self._quota_project_id = quota_project_id
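    def __init__(
        self,
        source_credentials,
        downscoped_options=None,
    ):
        """Build downscoped credentials from a source credential.

        Args:
            source_credentials (google.auth.Credentials): The source credential
                used to acquire the downscoped credentials. A shallow copy is
                stored so the caller's object is not aliased.
            downscoped_options (Mapping): Credential access boundary in JSON
                structure form. It must contain an ``accessBoundary`` key.
                NOTE(review): the example below shows the rules list without
                that top-level key; confirm the expected nesting against the
                API before relying on it.
                {
                    "accessBoundaryRules" : [
                    {
                        "availableResource" : "//storage.googleapis.com/projects/_/buckets/bucketA",
                        "availablePermissions": ["inRole:roles/storage.objectViewer"],
                        "availabilityCondition" : {
                            "title" : "obj-prefixes",
                            "expression" : "resource.name.startsWith(\"projects/_/buckets/bucketA/objects/foo.txt\")"
                        }
                    }
                    ]
                }

        Raises:
            exceptions.GoogleAuthError: If ``downscoped_options`` lacks the
                ``accessBoundary`` key (including when it is omitted).
        """

        super(Credentials, self).__init__()

        self._source_credentials = copy.copy(source_credentials)
        # A None default replaces the original mutable ``{}`` default, which
        # is shared across calls; an omitted mapping still fails the key check
        # below exactly as before.
        if downscoped_options is None:
            downscoped_options = {}
        if 'accessBoundary' not in downscoped_options:
            raise exceptions.GoogleAuthError(
                "Provided downscoped_options must include accessBoundary dictionary key"
            )
        self._downscoped_options = downscoped_options
        self.token = None
        self.expiry = _helpers.utcnow()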
 def testGetForAccountException(self):
     """A GoogleAuthError raised by the store surfaces as LoadingCredentialsError."""
     failure = google_auth_exceptions.GoogleAuthError()
     self.StartObjectPatch(store, 'Load', side_effect=failure)
     with self.assertRaises(refresh_token.LoadingCredentialsError):
         refresh_token.GetForAccount('my-account')
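    def __init__(
        self,
        vault_token,
        vault_host,
        roleset
    ):
        """Credentials that obtain GCP access tokens through a Vault server.

        Args:
            vault_token (str): Token used to authenticate to Vault. It is a
                secret and is kept on the instance for later refreshes.
            vault_host (str): URL of the Vault server.
            roleset (str): Name of the Vault GCP roleset to request tokens for.

        Raises:
            exceptions.GoogleAuthError: If any of the three arguments is None.
        """

        super(Credentials, self).__init__()

        # The original only checked vault_token although the message promises
        # all three; validate each so a missing host or roleset fails here
        # rather than on first use.
        if vault_token is None or vault_host is None or roleset is None:
            raise exceptions.GoogleAuthError(
                "vault_token, vault_host, roleset must be provided"
            )
        self._vault_token = vault_token
        self._vault_host = vault_host
        self._roleset = roleset
        self.token = None
        # Presumably set to "now" so the credential counts as expired until
        # the first refresh — confirm against the base class.
        self.expiry = _helpers.utcnow()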
async def verify_oauth2_token(id_token,
                              request,
                              audience=None,
                              clock_skew_in_seconds=0):
    """Verify an ID token issued by Google's OAuth 2.0 authorization server.

    Token validation is delegated to the async ``verify_token`` using the
    certificates at ``sync_id_token._GOOGLE_OAUTH2_CERTS_URL``; this wrapper
    additionally pins the ``iss`` claim to ``sync_id_token._GOOGLE_ISSUERS``.

    Args:
        id_token (Union[str, bytes]): The encoded token.
        request (google.auth.transport.Request): The object used to make
            HTTP requests. This must be an aiohttp request.
        audience (str): The audience the token must be intended for,
            typically your application's OAuth 2.0 client ID. When None the
            audience claim is not verified at all.
        clock_skew_in_seconds (int): Tolerance applied to the ``iat`` and
            ``exp`` checks.

    Returns:
        Mapping[str, Any]: The decoded token claims.

    Raises:
        exceptions.GoogleAuthError: If the issuer is not one of the known
            Google issuers.
    """
    claims = await verify_token(
        id_token,
        request,
        audience=audience,
        certs_url=sync_id_token._GOOGLE_OAUTH2_CERTS_URL,
        clock_skew_in_seconds=clock_skew_in_seconds,
    )

    allowed_issuers = sync_id_token._GOOGLE_ISSUERS
    # Accept only tokens whose issuer is one Google actually uses.
    if claims["iss"] in allowed_issuers:
        return claims

    raise exceptions.GoogleAuthError(
        "Wrong issuer. 'iss' should be one of the following: {}".format(
            allowed_issuers))