def test__handle_error_response_non_json():
    """A plain-text error body must surface as RefreshError carrying that text."""
    raw_body = 'Help, I\'m alive'

    with pytest.raises(exceptions.RefreshError) as raised:
        _client._handle_error_response(raw_body)

    # The endpoint's own text is expected inside the exception message, so
    # whatever logs or displays this error is handling server-supplied content.
    matched = raised.match(r'Help, I\'m alive')
    assert matched
示例#2
async def _token_endpoint_request(session: ClientSession, token_uri, body):
    """POST a form-encoded grant to the OAuth 2.0 token endpoint and decode the reply.

    Args:
        session (ClientSession): The session whose ``post`` method sends the
            request.
        token_uri (str): The OAuth 2.0 authorization server's token endpoint
            URI.
        body (Mapping[str, str]): The parameters to send in the request body.

    Returns:
        Mapping[str, str]: The JSON-decoded response data.

    Raises:
        google.auth.exceptions.RefreshError: If the token endpoint returned
            an error.
    """
    # NOTE(review): token_uri is used exactly as passed in; nothing in this
    # function checks its scheme or host, so the caller decides where the
    # grant parameters are sent.
    form_payload = urllib.parse.urlencode(body)
    request_headers = {'content-type': _URLENCODED_CONTENT_TYPE}

    async with session.post(url=token_uri, headers=request_headers,
                            data=form_payload) as response:
        raw_reply = await response.content.read()

    # Only an exact 200 counts as success; every other status goes to the
    # error handler together with the undecoded body.
    if response.status != HTTPStatus.OK:
        _handle_error_response(raw_reply)

    return json.loads(raw_reply)
示例#3
def test__handle_error_response():
    """A JSON error body is expected to be reported as 'error: error_description'."""
    error_fields = {"error": "help", "error_description": "I'm alive"}
    serialized_body = json.dumps(error_fields)

    with pytest.raises(exceptions.RefreshError) as raised:
        _client._handle_error_response(serialized_body)

    matched = raised.match(r"help: I\'m alive")
    assert matched
示例#4
def test__handle_error_response_non_json():
    """A mapping without OAuth error fields is expected to be reported as its JSON text."""
    unexpected_payload = {"foo": "bar"}

    with pytest.raises(exceptions.RefreshError) as raised:
        _client._handle_error_response(unexpected_payload)

    # The whole payload is expected in the message, not just selected fields.
    matched = raised.match(r"{\"foo\": \"bar\"}")
    assert matched
示例#5
async def _token_endpoint_request(
    request, token_uri, body, access_token=None, use_json=False
):
    """Call the token endpoint and raise if the reply is not a success.

    Thin wrapper over ``_token_endpoint_request_no_throw`` that turns a failed
    status into an exception through ``client._handle_error_response``.

    Args:
        request (google.auth.transport.Request): A callable used to make
            HTTP requests.
        token_uri (str): The OAuth 2.0 authorization server's token endpoint
            URI.
        body (Mapping[str, str]): The parameters to send in the request body.
        access_token (Optional(str)): The access token needed to make the
            request.
        use_json (Optional(bool)): Use urlencoded format or json format for
            the content type. The default value is False.

    Returns:
        Mapping[str, str]: The JSON-decoded response data.

    Raises:
        google.auth.exceptions.RefreshError: If the token endpoint returned
            an error.
    """
    succeeded, payload = await _token_endpoint_request_no_throw(
        request, token_uri, body, access_token=access_token, use_json=use_json)
    if succeeded:
        return payload

    # Failure path: the handler is handed the endpoint's own error payload.
    client._handle_error_response(payload)
    return payload
示例#6
def _HandleErrorResponse(response_body):
    """Translate a token-endpoint error body into the matching exception.

    Args:
        response_body: str, The decoded response data.

    Raises:
        ReauthRequiredError: If the error code is the reauth-needed error and
            its subtype is "invalid rapt" or "rapt required".
        ContextAwareAccessDeniedError: If google-auth's handler raised a
            RefreshError that context_aware identifies as a context aware
            access denial.
        google.auth.exceptions.RefreshError: Any other RefreshError raised by
            google-auth's handler, re-raised unchanged.
    """
    # NOTE(review): json.loads raises ValueError for a body that is not valid
    # JSON, and the .get calls below assume the decoded value is a mapping;
    # neither case is translated into one of the documented exceptions.
    error_data = json.loads(response_body)

    code = error_data.get('error')
    subtype = error_data.get('error_subtype')
    if code == oauth2client_client.REAUTH_NEEDED_ERROR:
        if (subtype == oauth2client_client.REAUTH_NEEDED_ERROR_INVALID_RAPT
                or subtype
                == oauth2client_client.REAUTH_NEEDED_ERROR_RAPT_REQUIRED):
            raise ReauthRequiredError('reauth is required.')

    try:
        # The already-decoded mapping, not the raw body, is handed over here.
        google_auth_client._handle_error_response(error_data)  # pylint: disable=protected-access
    except google_auth_exceptions.RefreshError as refresh_error:
        if not context_aware.IsContextAwareAccessDeniedError(refresh_error):
            raise
        raise ContextAwareAccessDeniedError()
def test__handle_error_response():
    """A JSON error body is expected to be reported as 'error: error_description'."""
    error_fields = {
        'error': 'help',
        'error_description': 'I\'m alive',
    }
    serialized_body = json.dumps(error_fields)

    with pytest.raises(exceptions.RefreshError) as raised:
        _client._handle_error_response(serialized_body)

    matched = raised.match(r'help: I\'m alive')
    assert matched
def _HandleErrorResponse(response_body):
  """Translate a token-endpoint error body into the matching exception.

  Args:
      response_body: str, The decoded response data.

  Raises:
      ReauthRequiredError: If the error code is the reauth-needed error and
          its subtype is "invalid rapt" or "rapt required".
      google.auth.exceptions.RefreshError: Raised by google-auth's handler
          for any other error body.
  """
  # NOTE(review): json.loads raises ValueError for a body that is not valid
  # JSON, so such a body never reaches google-auth's handler below; the .get
  # calls also assume the decoded value is a mapping.
  error_data = json.loads(response_body)

  code = error_data.get('error')
  subtype = error_data.get('error_subtype')
  if code == oauth2client_client.REAUTH_NEEDED_ERROR:
    if (subtype == oauth2client_client.REAUTH_NEEDED_ERROR_INVALID_RAPT or
        subtype == oauth2client_client.REAUTH_NEEDED_ERROR_RAPT_REQUIRED):
      raise ReauthRequiredError('The reauth is required.')

  # Everything else is delegated, passing the raw body rather than the
  # decoded mapping.
  google_auth_client._handle_error_response(response_body)  # pylint: disable=protected-access
示例#9
async def refresh_grant(
    request,
    token_uri,
    refresh_token,
    client_id,
    client_secret,
    scopes=None,
    rapt_token=None,
):
    """Run the refresh grant, obtaining a rapt token and retrying if reauth is needed.

    Args:
        request (google.auth.transport.Request): A callable used to make
            HTTP requests. This must be an aiohttp request.
        token_uri (str): The OAuth 2.0 authorization server's token endpoint
            URI.
        refresh_token (str): The refresh token to use to get a new access
            token.
        client_id (str): The OAuth 2.0 application's client ID.
        client_secret (str): The OAuth 2.0 application's client secret.
        scopes (Optional(Sequence[str])): Scopes to request. If present, all
            scopes must be authorized for the refresh token. Useful if refresh
            token has a wild card scope (e.g.
            'https://www.googleapis.com/auth/any-api').
        rapt_token (Optional(str)): The rapt token for reauth.

    Returns:
        Tuple[str, Optional[str], Optional[datetime], Mapping[str, str], str]: The
            access token, new refresh token, expiration, the additional data
            returned by the token endpoint, and the rapt token.

    Raises:
        google.auth.exceptions.RefreshError: If the token endpoint returned
            an error.
    """
    # This mapping carries the client secret and the refresh token (plus the
    # rapt token once set); keep it out of logs and traces.
    grant_params = {
        "grant_type": _client._REFRESH_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    if scopes:
        grant_params["scope"] = " ".join(scopes)
    if rapt_token:
        grant_params["rapt"] = rapt_token

    succeeded, payload = await _client_async._token_endpoint_request_no_throw(
        request, token_uri, grant_params)

    # A reauth-needed failure with one of the two rapt subtypes triggers the
    # rapt flow; there is no opt-in switch in this variant.
    if not succeeded and payload.get("error") == reauth._REAUTH_NEEDED_ERROR:
        subtype = payload.get("error_subtype")
        if (subtype == reauth._REAUTH_NEEDED_ERROR_INVALID_RAPT
                or subtype == reauth._REAUTH_NEEDED_ERROR_RAPT_REQUIRED):
            rapt_token = await get_rapt_token(
                request,
                client_id,
                client_secret,
                refresh_token,
                token_uri,
                scopes=scopes,
            )
            grant_params["rapt"] = rapt_token
            # Single retry with the fresh rapt token; a second failure falls
            # through to the error handler below.
            succeeded, payload = await _client_async._token_endpoint_request_no_throw(
                request, token_uri, grant_params)

    if not succeeded:
        _client._handle_error_response(payload)

    grant_result = _client._handle_refresh_grant_response(payload, refresh_token)
    # The rapt token in use is appended so the caller receives it as well.
    return grant_result + (rapt_token, )
示例#10
def refresh_grant(
    request,
    token_uri,
    refresh_token,
    client_id,
    client_secret,
    scopes=None,
    rapt_token=None,
    enable_reauth_refresh=False,
):
    """Run the refresh grant, optionally obtaining a rapt token and retrying.

    Args:
        request (google.auth.transport.Request): A callable used to make
            HTTP requests.
        token_uri (str): The OAuth 2.0 authorization server's token endpoint
            URI.
        refresh_token (str): The refresh token to use to get a new access
            token.
        client_id (str): The OAuth 2.0 application's client ID.
        client_secret (str): The OAuth 2.0 application's client secret.
        scopes (Optional(Sequence[str])): Scopes to request. If present, all
            scopes must be authorized for the refresh token. Useful if refresh
            token has a wild card scope (e.g.
            'https://www.googleapis.com/auth/any-api').
        rapt_token (Optional(str)): The rapt token for reauth.
        enable_reauth_refresh (Optional[bool]): Whether reauth refresh flow
            should be used. The default value is False. This option is for
            gcloud only, other users should use the default value.

    Returns:
        Tuple[str, Optional[str], Optional[datetime], Mapping[str, str], str]: The
            access token, new refresh token, expiration, the additional data
            returned by the token endpoint, and the rapt token.

    Raises:
        google.auth.exceptions.RefreshError: If the token endpoint returned
            an error, or if reauthentication is needed while
            ``enable_reauth_refresh`` is False.
    """
    # This mapping carries the client secret and the refresh token (plus the
    # rapt token once set); keep it out of logs and traces.
    grant_params = {
        "grant_type": _client._REFRESH_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    if scopes:
        grant_params["scope"] = " ".join(scopes)
    if rapt_token:
        grant_params["rapt"] = rapt_token

    succeeded, payload = _client._token_endpoint_request_no_throw(
        request, token_uri, grant_params
    )

    if not succeeded and payload.get("error") == _REAUTH_NEEDED_ERROR:
        subtype = payload.get("error_subtype")
        if (
            subtype == _REAUTH_NEEDED_ERROR_INVALID_RAPT
            or subtype == _REAUTH_NEEDED_ERROR_RAPT_REQUIRED
        ):
            # The rapt flow is opt-in: without the flag the caller is told to
            # reauthenticate instead of the flow being started here.
            if not enable_reauth_refresh:
                raise exceptions.RefreshError(
                    "Reauthentication is needed. Please run `gcloud auth login --update-adc` to reauthenticate."
                )

            rapt_token = get_rapt_token(
                request,
                client_id,
                client_secret,
                refresh_token,
                token_uri,
                scopes=scopes,
            )
            grant_params["rapt"] = rapt_token
            # Single retry with the fresh rapt token; a second failure falls
            # through to the error handler below.
            succeeded, payload = _client._token_endpoint_request_no_throw(
                request, token_uri, grant_params
            )

    if not succeeded:
        _client._handle_error_response(payload)

    grant_result = _client._handle_refresh_grant_response(payload, refresh_token)
    # The rapt token in use is appended so the caller receives it as well.
    return grant_result + (rapt_token,)