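def get_access_token(verification_code):
  """Exchange an OAuth2 verification code for an access token.

  Runs the authorization-code grant of the installed-app flow against Google's
  token endpoint, using the client id/secret stored in the datastore config.

  See: https://developers.google.com/identity/protocols/OAuth2InstalledApp

  Args:
    verification_code: The code the user pasted from the consent screen. It is
      a short-lived credential, so it is deliberately not echoed back in error
      messages (which end up in logs and in the HTTP response).

  Returns:
    The access token string from the token endpoint response.

  Raises:
    helpers.UnauthorizedException: If the client id/secret is not configured,
      or the token endpoint answers with a non-200 status.
    helpers.EarlyExitException: If the token endpoint answers 200 but the body
      is not a JSON object with an 'access_token' key (HTTP 500).
  """
  client_id = db_config.get_value('reproduce_tool_client_id')
  if not client_id:
    raise helpers.UnauthorizedException('Client id not configured.')

  client_secret = db_config.get_value('reproduce_tool_client_secret')
  if not client_secret:
    raise helpers.UnauthorizedException('Client secret not configured.')

  # A bounded timeout keeps a slow or unreachable token endpoint from pinning
  # the request handler indefinitely (requests has no default timeout).
  response = requests.post(
      'https://www.googleapis.com/oauth2/v4/token',
      headers={'Content-Type': 'application/x-www-form-urlencoded'},
      data={
          'code': verification_code,
          'client_id': client_id,
          'client_secret': client_secret,
          'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob',
          'grant_type': 'authorization_code'
      },
      timeout=30)

  if response.status_code != 200:
    # Non-200 also covers transient upstream failures, in which case the code
    # may still be valid: report the status, never the code itself.
    raise helpers.UnauthorizedException(
        'Invalid verification code (HTTP %d): %s' %
        (response.status_code, response.text))

  try:
    data = json.loads(response.text)
    return data['access_token']
  except (KeyError, ValueError, TypeError):
    # TypeError: body parsed to something that is not a dict (e.g. a list).
    raise helpers.EarlyExitException(
        'Parsing the JSON response body failed: %s' % response.text, 500)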
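def get_email_and_access_token(authorization):
    """Resolve the caller's verified email from an Authorization header.

    Accepts either a bearer access token or a verification code (the latter is
    first exchanged for an access token via get_access_token). The token is
    checked against Google's tokeninfo endpoint and accepted only if it was
    issued to an allow-listed OAuth client (or the reproduce tool's client), or
    belongs to an allow-listed service-account email.

    See: https://developers.google.com/identity/protocols/OAuth2InstalledApp

    Args:
      authorization: Raw Authorization header value, starting with either
        VERIFICATION_CODE_PREFIX or BEARER_PREFIX.

    Returns:
      A (email, authorization) tuple, where authorization is the bearer header
      value that was actually validated (after any verification-code exchange).

    Raises:
      helpers.UnauthorizedException: Malformed header, tokeninfo rejection,
        token not issued to an allowed client, or unverified email.
      helpers.EarlyExitException: tokeninfo returned 200 with an unparseable
        body (HTTP 500).
    """
    if authorization.startswith(VERIFICATION_CODE_PREFIX):
        verification_code = authorization.split(' ')[1]
        access_token = get_access_token(verification_code)
        authorization = BEARER_PREFIX + access_token

    if not authorization.startswith(BEARER_PREFIX):
        raise helpers.UnauthorizedException(
            'The Authorization header is invalid. It should have been started with'
            " '%s'." % BEARER_PREFIX)

    access_token = authorization.split(' ')[1]

    # NOTE(review): the token travels in the query string here, so it may be
    # recorded by proxies/request logs along the way — consider a request body
    # if the endpoint supports it. Bounded timeout so an unreachable tokeninfo
    # cannot hang the handler.
    response = requests.get('https://www.googleapis.com/oauth2/v3/tokeninfo',
                            params={'access_token': access_token},
                            timeout=30)
    if response.status_code != 200:
        # Do not echo the header: a non-200 also covers transient upstream
        # failures, in which case the bearer token may be perfectly valid and
        # would otherwise leak into error logs and the HTTP response.
        raise helpers.UnauthorizedException(
            'Failed to authorize. The Authorization header might be invalid '
            '(tokeninfo returned HTTP %d).' % response.status_code)

    try:
        data = json.loads(response.text)

        # tokeninfo has been observed to return email_verified as the string
        # "true"/"false" rather than a JSON boolean; normalise so that a
        # literal "false" string is never treated as truthy.
        email_verified = str(data.get('email_verified', '')).lower() == 'true'

        # Allow-list service accounts. They have different client IDs (or aud).
        # Therefore, we check against their email directly.
        if email_verified and data.get('email') in _auth_config().get(
                'whitelisted_oauth_emails', default=[]):
            return data['email'], authorization

        # Validate that this is an explicitly allow-listed client ID, or the
        # client ID for the reproduce tool. Build a fresh list instead of
        # appending to the configured one in place, so a cached config object
        # is never mutated across requests.
        whitelisted_client_ids = list(
            _auth_config().get('whitelisted_oauth_client_ids', default=[]))
        reproduce_tool_client_id = db_config.get_value(
            'reproduce_tool_client_id')
        if reproduce_tool_client_id:
            whitelisted_client_ids.append(reproduce_tool_client_id)
        if data.get('aud') not in whitelisted_client_ids:
            raise helpers.UnauthorizedException(
                "The access token doesn't belong to one of the allowed OAuth clients"
                ': %s.' % response.text)

        if not email_verified:
            raise helpers.UnauthorizedException(
                'The email (%s) is not verified: %s.' %
                (data.get('email'), response.text))

        return data['email'], authorization
    except (KeyError, ValueError, TypeError) as e:
        # TypeError: body parsed to something that is not a dict.
        raise helpers.EarlyExitException(
            'Parsing the JSON response body failed: %s' % response.text,
            500) from e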
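  def wrapper(self):
    """Authenticate the push request's ID token, then dispatch to func.

    The bearer token must verify as a Google OAuth2 ID token whose verified
    email is this deployment's service account; anything else is rejected with
    helpers.UnauthorizedException. On success the request body is decoded as a
    Pub/Sub message and handed to func.
    """
    try:
      bearer_token = request.headers.get('Authorization', '')
      if not bearer_token.startswith(BEARER_PREFIX):
        raise helpers.UnauthorizedException('Missing or invalid bearer token.')

      token = bearer_token.split(' ')[1]
      # NOTE(review): no `audience` is passed, so the token's `aud` claim is not
      # checked here; the email comparison below is the only thing binding the
      # token to this service. A token the service account minted for some
      # other target would also pass — confirm whether the push subscription's
      # audience can be pinned here.
      claim = id_token.verify_oauth2_token(token, google_requests.Request())
    except (ValueError, google.auth.exceptions.GoogleAuthError) as e:
      # google-auth reports malformed, expired or badly-signed tokens with
      # ValueError; map that to 401 rather than letting it surface as a 500.
      raise helpers.UnauthorizedException('Invalid ID token.') from e

    if (not claim.get('email_verified') or
        claim.get('email') != utils.service_account_email()):
      raise helpers.UnauthorizedException('Invalid ID token.')

    message = pubsub.raw_message_to_message(json.loads(request.data.decode()))
    return func(self, message)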
def check_access_and_get_testcase(testcase_id):
  """Load the testcase for testcase_id after verifying the caller may see it.

  Args:
    testcase_id: Identifier passed to data_handler.get_testcase_by_id.

  Returns:
    The testcase object.

  Raises:
    helpers.UnauthorizedException: No logged-in user email.
    helpers.EarlyExitException: Missing or unknown testcase id (HTTP 404).
    helpers.AccessDeniedException: The user may not access this testcase.
  """
  # Authentication first, then argument validation, then authorization.
  if not helpers.get_user_email():
    raise helpers.UnauthorizedException()
  if not testcase_id:
    raise helpers.EarlyExitException('No test case specified!', 404)

  try:
    found = data_handler.get_testcase_by_id(testcase_id)
  except errors.InvalidTestcaseError:
    raise helpers.EarlyExitException('Invalid test case!', 404)

  if can_user_access_testcase(found):
    return found
  raise helpers.AccessDeniedException()