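def refresh(self, request):
    """Obtain a fresh GCP OAuth2 access token from Vault's GCP secrets engine.

    A Vault client is built from the configured host and Vault token, the
    roleset's ``generate_oauth2_access_token`` endpoint is called, and the
    returned token and its expiry are stored on this credential object.

    Args:
        request (google.auth.transport.Request): Not used by this
            implementation; present to satisfy the ``refresh`` interface.

    Raises:
        exceptions.GoogleAuthError: If the Vault client is not authenticated
            with the configured Vault token, or Vault refuses (``Forbidden``)
            to issue a token for the roleset.
    """
    client = hvac.Client(url=self._vault_host, token=self._vault_token)
    if not client.is_authenticated():
        raise exceptions.GoogleAuthError("Unable to connect to Vault Server")

    try:
        token_response = client.secrets.gcp.generate_oauth2_access_token(
            self._roleset
        )
    except Forbidden as ex:
        # ``"..." + ex`` (str + exception) raised TypeError and hid the real
        # Vault error; format the exception into the message instead.
        raise exceptions.GoogleAuthError(
            "Unable to get Vault Token: {}".format(ex)
        )

    data = token_response["data"]
    self.token = data["token"]
    # ``expires_at_seconds`` is a Unix timestamp (UTC). This class tracks
    # ``expiry`` as naive UTC (the constructor seeds it with
    # ``_helpers.utcnow()``), so it must be converted with
    # ``utcfromtimestamp``; ``fromtimestamp`` yields local time and shifts
    # the token's validity window by the host's UTC offset, which can leave
    # an expired token in use or force needless refreshes.
    self.expiry = datetime.utcfromtimestamp(data["expires_at_seconds"])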
def verify_oauth2_token(id_token, request, audience=None):
    """Verify an ID token issued by Google's OAuth 2.0 authorization server.

    Decoding and validation are delegated to :func:`verify_token` using
    Google's OAuth2 certificate URL; on top of that, the ``iss`` claim is
    pinned to the known Google issuers so a token from any other issuer is
    rejected even if it otherwise validates.

    Args:
        id_token (Union[str, bytes]): The encoded token.
        request (google.auth.transport.Request): The object used to make
            HTTP requests.
        audience (str): The audience that this token is intended for,
            typically your application's OAuth 2.0 client ID. If None the
            audience is not verified.

    Returns:
        Mapping[str, Any]: The decoded token.

    Raises:
        exceptions.GoogleAuthError: If the issuer is not a Google issuer.
    """
    decoded = verify_token(
        id_token,
        request,
        audience=audience,
        certs_url=_GOOGLE_OAUTH2_CERTS_URL,
    )

    issuer = decoded["iss"]
    if issuer in _GOOGLE_ISSUERS:
        return decoded

    raise exceptions.GoogleAuthError(
        "Wrong issuer. 'iss' should be one of the following: {}".format(
            _GOOGLE_ISSUERS
        )
    )
def __init__(
    self,
    target_credentials,
    target_audience=None,
    include_email=False,
    quota_project_id=None,
):
    """Build ID-token credentials on top of an impersonated credential.

    Args:
        target_credentials (google.auth.Credentials): The target credential
            used to acquire the ID tokens. Must be an instance of
            ``Credentials`` (the impersonated credentials class in scope).
        target_audience (string): Audience to issue the token for.
        include_email (bool): Whether to include the email in the IdToken.
        quota_project_id (Optional[str]): The project ID used for quota
            and billing.

    Raises:
        exceptions.GoogleAuthError: If ``target_credentials`` is not an
            instance of ``Credentials``.
    """
    super(IDTokenCredentials, self).__init__()

    # Only impersonated credentials are accepted as the token source.
    if not isinstance(target_credentials, Credentials):
        raise exceptions.GoogleAuthError(
            "Provided Credential must be impersonated_credentials"
        )

    self._target_credentials = target_credentials
    self._target_audience = target_audience
    self._include_email = include_email
    self._quota_project_id = quota_project_id
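def __init__(
    self,
    source_credentials,
    downscoped_options=None,
):
    """Create credentials that exchange a source credential for a downscoped one.

    Args:
        source_credentials (google.auth.Credentials): The source credential
            used to acquire the downscoped credentials. A shallow copy is
            kept so later changes to the caller's object do not affect this
            instance.
        downscoped_options (Mapping): JSON-structured options describing the
            access boundary. It must contain a top-level ``accessBoundary``
            key (enforced below). The boundary rules themselves look like::

                {
                    "accessBoundaryRules": [
                        {
                            "availableResource": "//storage.googleapis.com/projects/_/buckets/bucketA",
                            "availablePermissions": ["inRole:roles/storage.objectViewer"],
                            "availabilityCondition": {
                                "title": "obj-prefixes",
                                "expression": "resource.name.startsWith(\\"projects/_/buckets/bucketA/objects/foo.txt\\")"
                            }
                        }
                    ]
                }

            NOTE(review): the original docstring showed these rules at the
            top level while the code requires ``accessBoundary``; confirm the
            exact nesting against the token-exchange code.

    Raises:
        exceptions.GoogleAuthError: If ``downscoped_options`` does not
            contain the ``accessBoundary`` key.
    """
    super(Credentials, self).__init__()
    self._source_credentials = copy.copy(source_credentials)

    # ``None`` replaces the former ``{}`` default: a mutable default dict is
    # shared across every call. An omitted mapping is still rejected below,
    # exactly as the empty default was.
    if downscoped_options is None:
        downscoped_options = {}

    # The access boundary is the whole point of downscoping; refuse to build
    # a credential that would request an unrestricted token.
    if "accessBoundary" not in downscoped_options:
        raise exceptions.GoogleAuthError(
            "Provided access_boundary_rules must include accessBoundary dictionary key"
        )

    self._downscoped_options = downscoped_options
    self.token = None
    # Seeded with "now" so the credential presumably reads as expired until
    # the first refresh — confirm against the base class's expiry check.
    self.expiry = _helpers.utcnow()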
def testGetForAccountException(self):
    """A GoogleAuthError from the credential store surfaces as LoadingCredentialsError."""
    load_failure = google_auth_exceptions.GoogleAuthError()
    self.StartObjectPatch(store, "Load", side_effect=load_failure)

    with self.assertRaises(refresh_token.LoadingCredentialsError):
        refresh_token.GetForAccount("my-account")
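def __init__(self, vault_token, vault_host, roleset):
    """Create credentials that obtain GCP access tokens via a Vault roleset.

    Args:
        vault_token (str): Vault token used to authenticate to Vault. This
            is a bearer secret; keep it out of logs and ``__repr__``.
        vault_host (str): URL of the Vault server.
        roleset (str): Name of the Vault GCP secrets-engine roleset.

    Raises:
        exceptions.GoogleAuthError: If any of ``vault_token``, ``vault_host``
            or ``roleset`` is None.
    """
    super(Credentials, self).__init__()

    # The error message promises all three are required, but the original
    # only tested vault_token; a missing host or roleset then failed later,
    # inside refresh, with a less helpful error.
    if vault_token is None or vault_host is None or roleset is None:
        raise exceptions.GoogleAuthError(
            "vault_token, vault_host, roleset must be provided"
        )

    self._vault_token = vault_token
    self._vault_host = vault_host
    self._roleset = roleset
    self.token = None
    # Seeded with "now" so the credential presumably reads as expired until
    # the first refresh — confirm against the base class's expiry check.
    self.expiry = _helpers.utcnow()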
async def verify_oauth2_token(
    id_token, request, audience=None, clock_skew_in_seconds=0
):
    """Verify an ID token issued by Google's OAuth 2.0 authorization server.

    Decoding and validation are awaited from the async :func:`verify_token`
    using the sync module's Google OAuth2 certificate URL; the ``iss`` claim
    is then pinned to the known Google issuers so a token from any other
    issuer is rejected even if it otherwise validates.

    Args:
        id_token (Union[str, bytes]): The encoded token.
        request (google.auth.transport.Request): The object used to make
            HTTP requests. This must be an aiohttp request.
        audience (str): The audience that this token is intended for,
            typically your application's OAuth 2.0 client ID. If None the
            audience is not verified.
        clock_skew_in_seconds (int): The clock skew used for ``iat`` and
            ``exp`` validation.

    Returns:
        Mapping[str, Any]: The decoded token.

    Raises:
        exceptions.GoogleAuthError: If the issuer is not a Google issuer.
    """
    decoded = await verify_token(
        id_token,
        request,
        audience=audience,
        certs_url=sync_id_token._GOOGLE_OAUTH2_CERTS_URL,
        clock_skew_in_seconds=clock_skew_in_seconds,
    )

    if decoded["iss"] in sync_id_token._GOOGLE_ISSUERS:
        return decoded

    raise exceptions.GoogleAuthError(
        "Wrong issuer. 'iss' should be one of the following: {}".format(
            sync_id_token._GOOGLE_ISSUERS
        )
    )